On 12/05/2014 10:51 AM, Robert Moskowitz wrote:
On 12/05/2014 09:31 AM, Richard wrote:
------------ Original Message ------------
Date: Thursday, December 04, 2014 23:19:52 -0500
From: Robert Moskowitz <r...@htt-consult.com>
On 12/04/2014 07:46 PM, Wietse Venema wrote:
Robert Moskowitz:
On 12/04/2014 07:02 PM, Wietse Venema wrote:
Robert Moskowitz:
My new server does not seem to be allowing yahoo or ymail to
deliver mail.
I do not see anything in maillog, not surprisingly. My son
reports he
Postfix logs all connection attempts, so they are not coming
through some firewall, or they aren't getting your DNS
information.
It worked before the new server, so not a firewall item, as
nothing changed there. As far as DNS, I changed server name in
MX record. I would hope they are getting z9m9z.htt-consult.com
now rather than klovia.htt-consult.com. But there is also the
spf record I added for gmail:
htt-consult.com. IN TXT "v=spf1 mx ~all"
And I do get emails from gmail, and can send them to gmail.
Speaking from experience, a bad netmask on a server can have
surprising effects. So can a bad netmask on a router. It totally
screws up routing, and one has no idea what is going until one
runs a sniffer.
You said something here that triggered a thought....
The new server is on a different internal net than the old, thus
different firewall rules. I checked over all the addressing and
everything there is right, but...
DCC (udp port 6277) was enabled for the old mailserver, but not
the new! Could that be the problem? Well I enabled DCC and we
will see as I just sent a new message from yahoo.
If this does not work, I will move the new server to the old
address. Really intended to do that after I turned down the old
server...
I'm seeing a couple of things when I look at your DNS records:
dig htt-consult.com mx
;; ANSWER SECTION:
htt-consult.com. 43200 IN MX 30 z9m9z.htt-consult.com.
htt-consult.com. 43200 IN MX 40 rigel.htt-consult.com.
;; ADDITIONAL SECTION:
z9m9z.htt-consult.com. 172799 IN A 208.83.67.147
Your first MX host sometimes resolves to 208.83.67.147, which
doesn't appear to be reachable on port 25. When this resolves to
.180 it is.
Probably 4+ years ago a z9m9z was at .147; for the past 3 years hp7310
has been using that address!
Your second MX host rigel.htt-consult.com resolves to 208.83.67.188,
which doesn't appear to be reachable on port 25
That is to handle spammers that go to the last MX record, assuming
that is the real server. It actually stopped 15% of spam coming into
my old server. It is part of the 'nolisting' recommendations. I
dropped the 2 fake pre-MX records, because they did not seem to help
too much and just added delay, while the last bad one did not seem to
be causing problems. I am pretty sure I have received yahoo mail with
it in place. I can remove it if it makes a difference.
Additionally, given the TTL shown on the z9m9z.htt-consult.com.
A-record, did you bring your TTLs down before you made what I assume
was an MX host IP number switch? If not, and that 2-day TTL is
indicative of what you generally use, it could be a bit before the
nameservers that various mail servers use will need to requery (and
if they get the .147 address it likely won't do them any good
anyway).
2 days??? This is the SOA I have been using during these changes:
htt-consult.com. IN SOA onlo.htt-consult.com.
rgm.htt-consult.com. (
2014120201
2H
20M
2W
2H )
I read this as a 2-hour TTL.
To debug this type of thing you need to look at what the outside
world is seeing. Query the DNS so that you see results as seen from
the outside, and then try to telnet (from the outside) to the
resulting IP numbers.
As I have done. I use MiFi on my phone and connect another notebook
to it to look 'in' and did not see this bad IP address that has somehow
hung around for so long.
Got a hunch on that....
Just checked all of my secondary NS, and they are showing current zone
information.
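Richard's advice above (query the DNS as the outside world sees it, then probe port 25 on the resulting addresses) and his question about TTLs can be turned into a small check. The following is an added example, not code from anyone in this thread: it parses `dig`-style output (a constructed sample modelled on the records quoted above), lists the MX hosts in preference order, flags A records whose TTL is longer than you would want before an IP switch, and offers a port-25 connect test to run from outside your own network. The 7200-second threshold is an assumption, chosen to match the 2H Robert expected.

```python
import re
import socket

# Constructed sample of `dig htt-consult.com mx` output, modelled on the
# records quoted in the thread (same names, TTLs and address).
SAMPLE_DIG = """\
;; ANSWER SECTION:
htt-consult.com.  43200  IN  MX  30 z9m9z.htt-consult.com.
htt-consult.com.  43200  IN  MX  40 rigel.htt-consult.com.
;; ADDITIONAL SECTION:
z9m9z.htt-consult.com.  172799  IN  A  208.83.67.147
"""

# owner  ttl  IN  type  rdata   (only MX and A records matter here)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(MX|A)\s+(.*)$")

def parse_dig(text):
    """Return (owner, ttl, rtype, rdata) tuples from dig's record lines."""
    out = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            out.append((owner.rstrip("."), int(ttl), rtype, rdata.strip()))
    return out

def mx_hosts(records):
    """MX targets ordered by preference (lowest number first)."""
    mx = []
    for _owner, _ttl, rtype, rdata in records:
        if rtype == "MX":
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".")))
    return [host for _pref, host in sorted(mx)]

def stale_ttl_hosts(records, max_ttl=7200):
    """A records whose TTL exceeds max_ttl: resolvers may keep the old
    address that long after an MX host changes IP (assumed threshold)."""
    return [(owner, ttl) for owner, ttl, rtype, _ in records
            if rtype == "A" and ttl > max_ttl]

def smtp_reachable(ip, timeout=5.0):
    """TCP connect to port 25; run from outside your network to see what
    other mail servers see. A deliberately dead last MX ('nolisting')
    is expected to return False."""
    try:
        with socket.create_connection((ip, 25), timeout=timeout):
            return True
    except OSError:
        return False
```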